
How does your company track the vulnerability management information that happens between receiving a vulnerability scan report and remediating a vulnerability?

Given the following example:

Scan A detects
  Vuln 1
  Vuln 2
  Vuln 3

You decide not to remediate Vuln 2 and 3, but you do remediate Vuln 1. At a later date you conduct another scan (Scan B):

Scan B detects
  Vuln 2
  Vuln 3
  Vuln 4

Putting the vulnerability information into a large master spreadsheet along with remediation decisions (whether or not to remediate) and manually updating it would allow you to keep track of vulnerability decisions so you're not constantly re-evaluating the same vulnerabilities (Vuln 2 and 3 in the example above) from scan to scan.

Is it common practice to have a large master spreadsheet that contains the relevant information for vulnerabilities found by scans (target, vulnerability, risk ranking, remediation decisioning notes, etc...) that is manually kept up to date across vulnerability scans or is there some other common practice or well-known tool(s) that does a better job tracking this information?

anchovie

3 Answers


I am using a database (based on MySQL and PHP). It is more valuable and easier to maintain. I don't like to use an Excel spreadsheet. Therefore I have a database and updates are done manually.

All attributes which you have mentioned are included in my database, and additionally I have added how remediation was done or why it was not done.

Best practices for vulnerability recording are below.

  • Record all related details about the vulnerability and the remediation action.
  • Do vulnerability assessment at least once a quarter, and compare with the previous result.
  • According to the second line, your records should be able to be compared with the previous result; therefore a DB is more useful than an Excel sheet.
  • Do VA with different methods, and all details need to be recorded separately.
  • Record analysis is very important; again, a database is more helpful than an Excel sheet.
  • When you conduct an audit, results need to be accessible without any delay, and again a database will provide more flexible accessibility than an Excel sheet.
  • Main thing: vulnerability scan results are very sensitive and confidential data. They need to be stored in a highly secure environment. A database will provide a more secure environment than an Excel sheet.
Infra
  • It's useful to know you're using a database - but the OP wanted to know about well known tools. Can you clarify if your tool is home-grown or as part of a product? – Terence Jan 07 '19 at 19:36
  • it is a home-grown tool – Infra Jan 08 '19 at 01:39
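The scan-to-scan reconciliation the question describes (and the "compare with the previous result" point in the answer above), as an added Python example that is not from the question or from any answer; the host address, the decision labels and the register layout are constructed assumptions:

```python
from dataclasses import dataclass, field

# Constructed example: one register entry per (target, vuln) key.
@dataclass
class Decision:
    action: str = "undecided"   # undecided | remediate | accept_risk | false_positive
    note: str = ""
    is_open: bool = True        # still showing up in the latest scan?
    scans_seen: list = field(default_factory=list)

# Decisions that need no re-evaluation when the finding shows up again.
SKIP = {"accept_risk", "false_positive"}

def reconcile(findings, register, scan_id):
    """Triage one scan's findings (a set of (target, vuln) keys) against the register.
    Records each sighting (adding undecided entries for new keys) and returns the buckets."""
    buckets = {"new": [], "carried": [], "pending": [], "reopened": [], "closed": []}
    for key in sorted(findings):
        d = register.setdefault(key, Decision())
        if not d.scans_seen:
            buckets["new"].append(key)          # first sighting: needs a decision
        elif not d.is_open:
            buckets["reopened"].append(key)     # was gone, is back: re-check the fix
        elif d.action in SKIP:
            buckets["carried"].append(key)      # decided earlier, just note the sighting
        else:
            buckets["pending"].append(key)      # undecided, or remediation not done yet
        d.is_open = True
        d.scans_seen.append(scan_id)
    for key, d in register.items():
        if d.is_open and key not in findings:   # seen before, absent now
            d.is_open = False
            buckets["closed"].append(key)
    return buckets

def demo():
    """Walk through Scan A and Scan B from the question on one constructed host."""
    host = "10.0.0.5"   # constructed target
    register = {}
    scan_a = reconcile({(host, "Vuln 1"), (host, "Vuln 2"), (host, "Vuln 3")}, register, "Scan A")
    # Analyst decisions recorded after Scan A.
    register[(host, "Vuln 1")].action, register[(host, "Vuln 1")].note = "remediate", "patched"
    register[(host, "Vuln 2")].action, register[(host, "Vuln 2")].note = "accept_risk", "internal only"
    register[(host, "Vuln 3")].action, register[(host, "Vuln 3")].note = "false_positive", "verified"
    scan_b = reconcile({(host, "Vuln 2"), (host, "Vuln 3"), (host, "Vuln 4")}, register, "Scan B")
    return scan_a, scan_b, register
```

After Scan B only Vuln 4 lands in "new" and Vuln 1 in "closed"; Vuln 2 and 3 are "carried" with their earlier decision and note, so nobody re-triages them.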

Salesforce have an open-source project called VulnReport that might be of interest to you. Although the project is more aimed towards pentest reports, I can imagine it could be used to achieve what you are describing above.


EdOverflow

We will create a task in the ticketing system to track this and close the item once the vulnerability has been fixed.

Apparently you can search for vulnerabilities that you already fixed in the past scan history, depending on which TVM application you are using. Nessus has this capability. Qualys can also list out all fixed vulnerabilities.

AK47